If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

ctrl+c vulnerablility at startup

a friend recently e-mailed me about os x, stating that on versions 10.2.7 and lower if you hold control c down during after turning on the machine it stops the init script and drops you into a shell with root permissions. Does anyone know of a way do protect against this? I checked the apple site and came up with nothing. This really scares me if people at people at work can come in and just restart a machine and gain access to all files on our os x systems and apple doesnt even have a fix available for download.(at least not that i can find)

Do unto others as you would have them do unto you.
The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America\'s war on terror, Attorney General John Ashcroft told a Senate oversight committee
-- true colors revealed, a brown shirt and jackboots

I have known about this for a LONG time. We messed around and printed funny messages to other school districts. Yeah when you hold down ctrl and C...or Ctrl then the apple key as we called it and C it would stop loading all non essential programs pretty much...including the security system(which at the time was called OnGuard). However you were not on the network as the tcp/ip protocol is not loaded. Well after that you just toss the file that makes the security system boot up in the trashcan and reboot...now you are on the network with no security system in place. You can then make administrator accounts and so on. Then after your all done you toss the security boot file back in its original place and reboot. Now everything is back the way you found it.

I have to say this is really stupid. Making it so easy to gain root access. Although I doubt anyone is using that version of Mac OS X. Evrybody upgrades when a new version comes out, why shouldn't you? Btw its at version 10.3.3 now. And one more thing, Macs a nice

well, actually this is what's known as "single user mode". All linux systems have this "feature". It allows the administrator to rescue a system if there's catastrophic problem.

Since OSX is a BSD system, basically a unix it also has this feature... Solaris, OpenBSD, FreeBSD, Linux, HP-UX,... all have this feature.

windows does NOT have this feature, therefore whenever your filesystem crashes, or your passwords get mangled and you aren't able to login, you have to resort to using boot disks to maybe beable to fix your problems, or buy tools that give you the abilities to access your system or change your passwords.

The only real way to stop it is to remove physical access to the machine.

well, actually this is what's known as "single user mode". All linux systems have this "feature". It allows the administrator to rescue a system if there's catastrophic problem.

Since OSX is a BSD system, basically a unix it also has this feature... Solaris, OpenBSD, FreeBSD, Linux, HP-UX,... all have this feature.

windows does NOT have this feature, therefore whenever your filesystem crashes, or your passwords get mangled and you aren't able to login, you have to resort to using boot disks to maybe beable to fix your problems, or buy tools that give you the abilities to access your system or change your passwords.

The only real way to stop it is to remove physical access to the machine.

just an FYI..

It sounds like a good thing to have if something goes wrong with the system... But isn't it just asking for disaster? As you said, the only real way to stop it is to remove physical access to the machine. But doesn't that sort of defeat the purpose if it's meant to be used by people at all?

For example, in my school a lot of teachers have Macs in their classrooms. Unless they've disabled this 'feature' using the method lumpyporridge mentioned (which I highly doubt as most of them are computer-illiterate), anyone who knew about this could wreak havoc. Especially if they are connected to the network. I think most of them are.

IMO, it sounds like a path to disaster. But I've probably used a Mac about 2 times in my life... So I don't really know. Maybe I'm missing something here.

It sounds like a good thing to have if something goes wrong with the system... But isn't it just asking for disaster? As you said, the only real way to stop it is to remove physical access to the machine. But doesn't that sort of defeat the purpose if it's meant to be used by people at all?

For example, in my school a lot of teachers have Macs in their classrooms. Unless they've disabled this 'feature' using the method lumpyporridge mentioned (which I highly doubt as most of them are computer-illiterate), anyone who knew about this could wreak havoc. Especially if they are connected to the network. I think most of them are.

IMO, it sounds like a path to disaster. But I've probably used a Mac about 2 times in my life... So I don't really know. Maybe I'm missing something here.

mjk

Single User mode, isn't asking for disaster.. it's a savior. My friends server recently dropped when a spam filter was improperly applied. The result was var being filled and the machine crashing and refusing to boot, by booting into single user mode (without any daemons loading.) we were able to save the machine and get it back online in under an hour.

Can it be a bad thing?? Yes. However you should limit physical access to important machines to those who need it. You should also secure a machine... if you choose not to secure a machine, even without something like Single User Mode, you are in trouble. Besides.. we're talking physical access... As soon as someone has physical access all bets are lost. You'd have to boot the the hdd first, and password protect the BIOS. Remove access to cd-rom and floppy drives just to be safe, use security screws so they can't remove the case easy (if they have the tool they still can).. You can apply policies... but how closely are you monitoring those? Apply a group policy on an NT-Based network and watch someone get around it. Login, shutdown the machine, unplug the network cable, reboot, your profile is still cashed so you log back in, no group policy because you aren't on the PC, then just plug in the network cable. So you have to make sure the PCs have a local policy as well, but then you don't want to apply that policy to the administrator account. There are a lot of things you have to watch if you are going to give physical access, and you have to be trustworthy....

However defeating access to easily getting into Single User Mode is rather simple on a public machine, Leave the machine booted. let users log in and log off... if they shutdown have a boot password that only the admin knows... If they want it powered on they have to come ask... that way the admin (or someone trusted) is there when they log in and can make sure no funny business occurs.

Peace,
HT

IT Blog: .:Computer Defense:.PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

You made some good points HTR, I like the idea of having a boot password then leaving the computer on all the time... I never thought of that.

Still, though, it could potentially be a problem if the proper security measures aren't taken. I'd be willing to bet that the Macs in the classrooms at my school aren't secured. I've never used them though, so maybe I'm not giving my teachers enough credit.